Abstract

In this article we give explicit formulae for a lift of the relative Frobenius 
morphism between elliptic curves and show how one can compute this lift 
in the case of ordinary reduction in odd characteristic. Our theory can 
also be used in the case of supersingular reduction. 

By means of the explicit formulae that describe a Frobenius lift, we are
able to generalize Mestre's 2-adic arithmetic geometric mean (AGM)
sequence of elliptic curves to odd characteristic, and prove its convergence.
As an application, we give an efficient point counting algorithm for
ordinary elliptic curves which is based on the generalized AGM sequence.

1 Introduction

In this article we give formulae which describe a lift of the relative Frobenius 
morphism for a given elliptic curve over the p-adic numbers, where p is an odd 
prime. These formulae are universal in the sense that they can be used in the 
case of ordinary reduction, and in the supersingular case as well. 

Let us first give an example in the case of ordinary reduction. Consider the 
elliptic curve E over Q which is given by the equation 

$y^2 = x(x - 1)(x - i), \quad i^2 = -1.$

The curve E has ordinary good reduction at the prime 3. The normalized third
division polynomial of E is given by

$\psi_3(T) = T^4 + \frac{1}{3}(-4i - 4)T^3 + 2iT^2 + \frac{1}{3}.$

We set $K = Q(i)[T]/(\psi_3)$. Let t denote the class of T in the quotient ring K.
Over K the polynomial $\psi_3$ decomposes into irreducible factors as follows

$(T - t) \cdot \left(T^3 + (t + \tfrac{1}{3}(-4i - 4))T^2 + (t^2 + \tfrac{1}{3}(-4i - 4)t + 2i)T + (t^3 + \tfrac{1}{3}(-4i - 4)t^2 + 2it)\right).$

In the following we consider the curve E as defined over the field K. There
exists an isogeny $F : E \to E^{(3)}$, where the curve $E^{(3)}$ is given by the equation



»(i - t) 



1 - t J V i-* 



such that F reduces modulo 3 to the relative 3-Frobenius morphism. Also,
using the formulae of Theorem 3.1 one can compute explicit formulae for the
isogeny F as a pair of rational functions. We will not go into the details of this
computation here.

Now consider the elliptic curve E given by the equation 

$y^2 = x(x - 1)(x - 2)$

over Q. The curve E has supersingular good reduction at the prime 3. The
normalized third division polynomial of E is given by

$\psi_3(T) = T^4 - 4T^3 + 4T^2 - \frac{4}{3}.$

We set $K = Q[T]/(\psi_3)$. Let t denote the class of T in the quotient K. Over K
the polynomial $\psi_3$ decomposes into irreducible factors as follows

$(T - t) \cdot (T - (2 - t)) \cdot (T^2 - 2T + (t^2 - 2t)).$

In the following we consider E to be defined over K. Now assume that we have
chosen a 3-adic embedding of K such that t is a non-unit. Then the image curve
$E^{(3)}$ of a lift of the relative Frobenius $F : E \to E^{(3)}$ can be given by



y 2 = x ■ \ x = I • [ x 



8(1 - 1) 



1-tJ V 2-t 

Next let us explain the relevance of the results of this article to the
algorithmic application. Let A be an abelian scheme over a p-adic local ring, and let A
have ordinary reduction. It is a classical result that there exists a canonical lift
$F : A \to A^{(p)}$ of the relative p-Frobenius morphism. By iterating the lifting one
obtains a sequence of abelian schemes

$A \xrightarrow{F} A^{(p)} \xrightarrow{F} A^{(p^2)} \to \cdots$

Let $A_0$ denote the reduction of A, where we assume $A_0$ to be defined over a
finite field $F_q$ with q elements of characteristic p > 0. There exists a canonical
lift $A^*$ of $A_0$ which is characterized by the property that the reduction map on
endomorphisms is bijective. It is a fundamental result that one has

$\lim_{n \to \infty} A^{(q^n)} = A^* \quad (1)$

with respect to the p-adic topology. The precise statement and a proof are given
in Section 2.

In the following let p = 2. We restrict our attention to the case where A is
an elliptic curve. The convergence theorem (1) forms the basis of Mestre's AGM
point counting algorithm (see the private conversation [11]). An essential step
in this algorithm is to compute the arithmetic geometric mean (AGM) sequence

$(a_n, b_n) = \left(\frac{a_{n-1} + b_{n-1}}{2}, \sqrt{a_{n-1} b_{n-1}}\right) \quad (2)$

in a 2-adic local field with finite residue field $F_q$ of characteristic 2. It turns out
that the sequence (2) describes the coefficients of a sequence of elliptic curves
with ordinary good reduction

$E_n : y^2 = x(x - a_n^2)(x - b_n^2), \quad n \geq 0, \quad (3)$

and Frobenius lifts

$E_0 \xrightarrow{F} E_1 \xrightarrow{F} E_2 \to \cdots$

where by (1) the subsequence $E_{dm}$ with $d = \log_2(q)$ approximates 2-adically the
canonical lift of the reduction of $E_0$. For a higher dimensional generalization of
Mestre's algorithm see the informal notes [10]. The theoretical background of
the higher dimensional AGM sequence is given in [3].

In this article we give an analogue of Mestre's sequence of elliptic curves (3)
in odd residue class field characteristic. Using the explicit formulae for a lift of
the relative Frobenius, we are able to define a 2-parameter analogue of Mestre's
2-adic AGM sequence. We apply our results to the point counting problem on
ordinary elliptic curves over finite fields of odd characteristic. We prove that, if
E is an ordinary elliptic curve over a finite field $F_q$ with q elements of
characteristic p > 2, then one can give an algorithm for the computation of the number
of rational points $\#E(F_q)$ which has the time complexity $O(p^{2+\epsilon} \log_p(q)^{3+\epsilon})$ for
all $\epsilon > 0$. The algorithm that we give is based on the computation of the p-adic
analogue of Mestre's 2-adic AGM sequence.

Leitfaden

In Section 2 we give a proof of the convergence theorem for the p-adic scheme
theoretic analogue of Mestre's AGM sequence. In Section 3 we give explicit
formulae for a lift of the relative Frobenius in the elliptic curve case. In Section
5 we give an algorithmic application of these formulae. In Section 6 we give an
example of the generalized p-adic AGM sequence.

2 Canonical Frobenius lift in the ordinary case 

In this section we give some theoretical background on Frobenius lifts. Let R
be a complete noetherian local ring. We assume R to have perfect residue class
field k of characteristic p > 0. By $m_R$ we denote the maximal ideal of R. Let
$\pi : A \to \mathrm{Spec}(R)$ be an abelian scheme which has ordinary reduction.

Proposition 2.1. There exists an abelian scheme $\pi^{(p)} : A^{(p)} \to \mathrm{Spec}(R)$ and a
commutative diagram of isogenies




such that the reduction of F fits into the following commutative diagram

$\mathrm{Spec}(k) \xrightarrow{f_p} \mathrm{Spec}(k)$

where $f_p$ denotes the absolute p-Frobenius and where $pr : A_k^{(p)} \to A_k$ is a
morphism which makes the square Cartesian. In other words, the isogeny F is a lift
of the relative p-Frobenius morphism. The isogeny F is uniquely determined by
the condition

$\mathrm{Ker}(F) = A[p]^{loc}$

where $A[p]^{loc}$ denotes the connected component of the zero element in the finite
flat group A[p].

Proof of Proposition 2.1. In order to prove Proposition 2.1 we need the following
classical result.

Claim 2.2. Let A be an abelian scheme over a noetherian ring R and G a finite
flat subgroup of A. Then the quotient sheaf A/G is representable by an abelian
scheme. The quotient map $A \to A/G$ is an isogeny.

Proof of Claim 2.2. We only sketch the proof of the claim. First assume that
R is integral and normal. Then A is projective (see [HI Ch.XI,Th.1.4]).
Projectivity implies that every G-orbit lies in some open affine. As a consequence the
quotient A/G is representable (compare [13] §5,Th.1). The general case can be
deduced from the above special case by the method which is used in the proof
of [II Ch.LTh.1.9]. □

Now let A and R be as in the proposition. It is a classical result that there
exists an exact sequence of groups

$0 \to A[p]^{loc} \to A[p] \to A[p]^{et} \to 0$

where $A[p]^{loc}$ is the connected component of the zero element in A[p] and $A[p]^{et}$
is the maximal etale quotient of A[p] by $A[p]^{loc}$ (for a proof see [TTj, §3.7]). By
Claim 2.2 there exists an isogeny

$F : A \to A^{(p)} \stackrel{def}{=} A/A[p]^{loc}.$

Because of the relation $\mathrm{Ker}(F) = A[p]^{loc} \subseteq A[p]$ there exists a commutative
diagram




One checks fiberwise that the morphism V is an isogeny. We claim that $A_k[p]^{loc} =
(A[p]^{loc})_k$. In the following we prove our claim. Let $A[p]^{loc} = \mathrm{Spec}(C)$. The
finite R-algebra C is connected, i.e. it has only the trivial idempotents 0 and
1. The same is true for $C \otimes_R k$, since R is henselian and thus one can lift the
idempotents of $C \otimes_R k$ to C (compare [14] Ch. I, §1). This proves our claim.

The kernel K of the relative Frobenius morphism of $A_k$ has no non-zero
points over the algebraic closure of k and hence is connected. It follows that
$K \subseteq A_k[p]^{loc}$. The order of K equals $p^g$ where g is the relative dimension of A
over R. By comparing ranks we conclude that the equality $K = A_k[p]^{loc}$ holds.
This proves the proposition. □

By successively dividing out the connected component of the p-torsion one
obtains a sequence of abelian schemes with bonding morphisms

$A \xrightarrow{F} A^{(p)} \xrightarrow{F} A^{(p^2)} \to \cdots$

In Section 3 we show how this sequence can be made explicit in the case of
elliptic curves.
Theorem 2.3. Let B be an abelian scheme over R and let i > 1 be an integer. 

v 

A = B mod 

then 

A (p) ^ B {p) mod m m 

Proof of Theorem 2.3. The following proof of the theorem was communicated
to the author by Moonen. We only sketch his proof. For a more detailed version
of the proof see [H Ch.2].

In the following we give a proof in the case where k is algebraically closed.
In the following let S denote a complete noetherian local ring with algebraically
closed residue class field k of characteristic p > 0. Let W(k) denote the Witt
vectors with values in k. Note that there exists a canonical morphism $W(k) \to S$.
Assume that we are given an ordinary abelian variety $A_0$ over k. Let $\mathrm{Def}(A_0)$
denote the functor which associates to every local ring S as above the set of
isomorphism classes of pairs $(A, \varphi)$, where A is a formal abelian scheme over S
and $\varphi$ is an isomorphism $A_k \to A_0$.

Fact 2.4. The functor $\mathrm{Def}(A_0)$ is representable by a split formal torus of
relative dimension $g^2$ over W(k), where $g = \dim(A_0)$. The canonical lift of $A_0$
corresponds to the unit element of the formal torus.

Recall that a split formal torus of relative dimension 1 over W(k), denoted by
$\hat{G}_{m,W(k)}$, is defined as the completion of the multiplicative group $G_{m,W(k)}$ at its
unit section. In higher dimension, we call a formal group over W(k) a formal
torus if it is isomorphic to a product of copies of the formal group $\hat{G}_{m,W(k)}$.

Now let $F_0 : A_0 \to A_0^{(p)}$ denote the relative p-Frobenius morphism. By
Proposition 2.1 there exists a canonical induced morphism

$\mathrm{Def}(A_0) \to \mathrm{Def}(A_0^{(p)}) \quad (4)$

which maps $(A, \varphi)$ to $(A^{(p)}, \varphi^{(p)})$. Assume that we have chosen an isomorphism

$\mathrm{Def}(A_0) \cong \hat{G}_{m,W(k)}^{g^2}.$

Fact 2.5. There exists precisely one structure of a formal torus on $\mathrm{Def}(A_0^{(p)})$,
i.e. an isomorphism $\mathrm{Def}(A_0^{(p)}) \cong \hat{G}_{m,W(k)}^{g^2}$, such that the morphism (4) is a
homomorphism of formal groups. With respect to this choice of a group structure
the morphism (4) is given by the p-th powering morphism.

The group functor $\hat{G}_{m,W(k)}$ associates to every local ring S as above the
multiplicative subgroup 1 + m of $S^*$ where m denotes the maximal ideal of S. The
theorem now follows from the following computation

(1 + m) p = V ( P ^\ ■ mP- 1 e 1 + m p +pmR C 1 + tn 4+1 , Vm S m\ 



□ 

Let $A^*$ denote the canonical lift of $A_k$. We note that if k is a finite field with
q = #k elements then for all $n \geq 0$ there exists an isomorphism $A_k \cong A_k^{(q^n)}$.

Corollary 2.6. Let $q = \#k < \infty$. One has

$\lim_{n \to \infty} A^{(q^n)} = A^*,$

which means that

$(\forall n \in N) \quad A^{(q^n)} \cong A^* \bmod m^{nd+1}$

where $d = \log_p(q)$.

Proof. The claim is an immediate consequence of Theorem 2.3. We note that
one has

$(A^*)^{(q)} \cong A^*.$

□

3 Explicit formulae for Frobenius lifts



In this section we show how the Frobenius lift whose existence is proven in
Proposition 2.1 can be made explicit. The special case of even residue class
field characteristic is discussed in Section 3.1.

Let R denote a complete discrete valuation ring with perfect residue field k
of characteristic p > 2 and K its field of fractions. Let $\pi$ be a uniformizer of R,
let $v : R \to Z$ be an exponential valuation such that $v(\pi) = 1$ and let $\bar{K}$ be an
algebraic closure of K. We assume K to have characteristic 0.

Consider an elliptic curve E over K which has good reduction. We assume
that #E[2](K) = 4. The curve E admits a model

$y^2 = x(x - a)(x - b) \quad (5)$

where $a, b \in R^*$ and $a \not\equiv b \bmod \pi$. Let the reduction $\bar{E}$ of E be given by

$y^2 = x(x - \bar{a})(x - \bar{b}),$

where the coefficients

$\bar{a} = a \bmod \pi$ and $\bar{b} = b \bmod \pi$

are in k. Let $\bar{E}^{(p)}$ over k be the elliptic curve with equation

$y^2 = x(x - \bar{a}^p)(x - \bar{b}^p).$

The isogeny $\bar{F} : \bar{E} \to \bar{E}^{(p)}$ over k, which is defined by $(x, y) \mapsto (x^p, y^p)$ is called
the relative Frobenius morphism. In the following we will discuss necessary
conditions for the existence of a lift of the relative Frobenius morphism.

Assume that we are given a subgroup $G \leq E[p](\bar{K})$ of order p, which is
defined over K, i.e. $\sigma(G) = G$ for all $\sigma \in \mathrm{Gal}(\bar{K}/K)$. Let $S \subseteq G$ such that
$S \cap -S = \emptyset$ and $G = S \cup -S \cup \{0_E\}$, where $0_E$ denotes the zero section of E.
We set

$P_1 = (0,0)$, $P_2 = (a,0)$ and $P_3 = (b,0)$.

Let x(Q) denote the x-coordinate of a point $0_E \neq Q \in E(\bar{K})$. We define




and 

$g_i(x) = \prod_{Q \in S} (x - x(Q + P_i)), \quad i = 1, 2, 3.$

Note that $x(Q) \neq 0$ for $Q \in S$, since p > 2. Since G is defined over K, the
polynomials h(x) and $g_i(x)$ are elements of K[x], where i = 1, 2, 3.

Theorem 3.1. Assume that we are given a subgroup $G \subseteq E[p](\bar{K})$ with #G =
p, which is defined over K. Suppose G is contained in the kernel of reduction.
Let $E^{(p)}$ be defined by

$y^2 = x(x - a^{(p)})(x - b^{(p)}),$

where

Then $E^{(p)}$ is a non-singular elliptic curve, and there exists an isogeny

$F : E \to E^{(p)}$

given by

( XV )„( x -9^ x ? nLigiW . \ 

which has kernel G. We have $a^{(p)}, b^{(p)} \in R$ and $h(x), g_i(x) \in R[x]$, where
i = 1, 2, 3. The curve $E^{(p)}$ reduces to $\bar{E}^{(p)}$ and the isogeny F lifts the relative
Frobenius $\bar{F}$. Also we have

F* (^)=lead(fc)--, 

V y J v 

where lead(h) denotes the leading coefficient of the polynomial h(x).

Proof. Abstract theory (see [13]) guarantees the existence of a quotient $E^{(p)}$ of
E by G. We will construct suitable coordinate functions x and y on $E^{(p)}$ using
the coordinates x and y on E. Consider the functions x,y : E — > given by 

X[X ' V) h{xf 

and 



The function x has divisor

$2 \cdot \sum_{Q \in G} (Q + P_1) - 2 \cdot \sum_{Q \in G} (Q) \quad (6)$

and the function y has divisor

$\sum_{i=1}^{3} \sum_{Q \in G} (Q + P_i) - 3 \cdot \sum_{Q \in G} (Q). \quad (7)$

We claim that the functions x and y are G-invariant, i.e. invariant under the
composition with translations given by points of G. There exist G-invariant
functions on E having the divisors (6) and (7). The latter is due to the fact
that by abstract theory the quotient $E^{(p)}$ exists and we can pull back suitable
coordinate functions. They differ from x resp. y by a constant. This implies
the claim.

We claim that the functions x and y defined above satisfy the equation

$y^2 = x \cdot (x - a^{(p)}) \cdot (x - b^{(p)}). \quad (8)$
b ^ 2



One computes

$a \cdot g_1(a)^2 = a \cdot \prod_{Q \in S} (a - x(Q + P_1))^2 = a \cdot \prod_{Q \in S} a^2 \cdot \left(1 - \frac{b}{x(Q)}\right)^2 = a^p \cdot h(b)^2$

and hence by definition

$x(P_2) = a^{(p)}.$

Similarly one gets

$x(P_3) = b^{(p)}.$

It follows that the divisors of $y^2$ and

$x \cdot (x - a^{(p)}) \cdot (x - b^{(p)})$



are equal. Hence these two functions differ by a constant. We determine the 
constant by looking at expansions in z = — ^. One has 

x(z) = + . . . and y(z) = — + . . . 
We set I = lead(/i). Then 

/i(x(z)) 



Since the gi(x), where i = 1, 2, 3, are monic we get 

4_ + ... |_ + ... 

= and y(x(z),y{z)) = — g- 

^2p-2 ~T • • • 2 3p — 3 I • • • 

Hence the above mentioned constant equals 1 and equality (8) holds. This
proves our claim.

Next we prove that the curve $E^{(p)}$ given by equation (8) and the morphism
$F : E \to E^{(p)}$ given by

$(x, y) \mapsto (x(x,y), y(x,y))$

are defined over R. Let $Q \in S$. Using the addition formulae (see [16] Ch. III,
§2) we compute

$x(Q + P_1) = \frac{ab}{x(Q)}, \quad x(Q + P_2) = \frac{a \cdot (x(Q) - b)}{x(Q) - a}, \quad x(Q + P_3) = \frac{b \cdot (x(Q) - a)}{x(Q) - b}. \quad (9)$

Note that a point $Q \in E(\bar{K})$ is in the kernel of reduction if and only if $v(x(Q)) < 0$.
It follows by the equations (9) that $v(x(Q + P_i)) \geq 0$ for $Q \in S$ and i = 1, 2, 3.
As a consequence we get $h(x), g_i(x) \in R[x]$ for i = 1, 2, 3.

We claim that the isogeny F reduces to the relative Frobenius morphism.
The congruences

$x(x, y) \equiv x^p \bmod p$ and $y(x, y) \equiv y^p \bmod p \quad (10)$

imply that

$a^{(p)} \equiv a^p \bmod p$ and $b^{(p)} \equiv b^p \bmod p.$

By the equations © and v(x{Q)) < we have v(x{Q + Pi)) > for Q E S. It 
follows that 

gi{x) 2 = mod p. 
Since for $Q \in S$ we have $v(x(Q)) < 0$, it follows by the definition of h(x) that

$h(x) \equiv 1 \bmod p.$

We claim that

$\prod_{i=1}^{3} (x - x(Q + P_i)) \equiv y^2 \bmod p. \quad (11)$

Let $Q \in S$. By the equations (9) and $v(x(Q)) < 0$ we have
x(Q +Pi) = modp,

and analogously

$x(Q + P_3) \equiv b \bmod p.$

This proves the congruence (11). We conclude that the congruences (10) hold.
Thus our claim is proven. Beside that, the above discussion shows that $a^{(p)}$ and
$b^{(p)}$ are well-defined and that $E^{(p)}$ is an elliptic curve.
Finally, we claim that

F* (^)=lead(fc)--. 

V y J v 

We set

$f(x) = \frac{h(x) g_1(x) + 2x (h(x) g_1'(x) - h'(x) g_1(x))}{g_2(x) g_3(x)}.$

One computes that 

\y J v 

Since = comes from a global regular differential we deduce that f(x) is constant. 
We have

$f(0) = \frac{h(0) \cdot g_1(0)}{g_2(0) \cdot g_3(0)} = \frac{g_1(0)}{g_2(0) \cdot g_3(0)}.$

Recall that h(x) is normalized with respect to its constant term. The formulae
(9) imply that

$x(Q + P_1) \cdot x(Q) = x(Q + P_2) \cdot x(Q + P_3).$

The claim now follows from the definition of h(x) and $g_i(x)$, where i = 1, 2, 3.
This finishes the proof of Theorem 3.1. □

Formulae of the same kind, but for separable isogenies, can be found in [18].

3.1 Special case: Residue class field of characteristic two 

In this section we recall some results which are due to J.-F. Mestre (see the
private communication [11]). For lack of a suitable reference we provide proofs
where necessary. Mestre pointed out that a Frobenius lift in characteristic 2
can be described by the classical arithmetic geometric mean formulae. This is
explained in the following.

Let $F_q$ be a finite field of characteristic 2 and let $Z_q$ denote the ring of Witt
vectors with values in $F_q$. The field of fractions of $Z_q$ will be denoted by $Q_q$.
Let E be a smooth elliptic curve over $Z_q$, in other words an abelian scheme of
relative dimension 1 over $Z_q$.

Proposition 3.2. We have $E[2] \cong \mu_{2,Z_q} \times (Z/2Z)_{Z_q}$ if and only if $E_{Q_q}$ can be
given by an equation of the form

$y^2 = x(x - a^2)(x - b^2), \quad (12)$

where $a, b \in Q_q^*$ such that $a \neq \pm b$, the point (0,0) generates $E[2]^{loc}(Q_q)$ and
$\frac{b}{a} \in 1 + 8Z_q$.

Proof of Proposition 3.2. To prove the proposition we need the following fact.

Claim 3.3. Let E be an elliptic curve over $Z_q$ with $E[2] \cong \mu_{2,Z_q} \times (Z/2Z)_{Z_q}$.
Then $E_{Q_q}$ can be given by a model

$y^2 = x(x - \alpha)(x - \beta), \quad \alpha, \beta \in Q_q^*, \quad \alpha \neq \beta, \quad (13)$

where (0,0) generates $E[2]^{loc}(Q_q)$ and $\frac{\beta}{\alpha} \in 1 + 16Z_q$.

Proof of Claim 3.3. We can assume that E is given by the equation (13) and
(0,0) generates $E[2]^{loc}(Q_q)$. We set $\lambda$ = One can assume that $\lambda \in Z_q$.
Then 

Let v denote the discrete exponential valuation of $Q_q$ which satisfies v(2) = 1.
Since E has ordinary good reduction one has $j(E) \not\equiv 0 \bmod 2$. Hence equation
(13) implies that

$0 = 8 + 3v((\lambda - 1)^2 + \lambda) - 2v(\lambda) - 2v(\lambda - 1). \quad (15)$

An isomorphism to a Weierstrass minimal model is of the form

$(x, y) \mapsto (u^2 x + r, \ldots).$

We can assume that the discriminant of the given model is a unit and hence
$u \in Z_q^*$. Since (0,0) is in the kernel of reduction it follows that v(r) < 0. Also we
have $v(u^2\alpha + r) \geq 0$ and $v(u^2\beta + r) \geq 0$, because the points $(\alpha, 0)$ and $(\beta, 0)$ are
not contained in the kernel of reduction. We conclude that $v(\alpha) = v(\beta) = v(r)$
which implies $v(\lambda) = 0$. By (15) we cannot have $v(\lambda - 1) = 0$. Hence $v(\lambda - 1) > 0$,
and it follows again by (15) that $v(\lambda - 1) = 4$. This implies the claim. □

Now we finish the proof of Proposition 3.2. Let E be as in the proposition and
let

$y^2 = x(x - \alpha)(x - \beta), \quad \alpha, \beta \in K^*, \quad \alpha \neq \beta,$

be a model for E over $Q_q$ having the properties listed in Claim 3.3. Over
$L = Q_q(i)$ the above curve is isomorphic to the twisted curve $E^t$ given by

$y^2 = x(x + \alpha)(x + \beta)$

via the isomorphism

$(x, y) \mapsto (-x, iy). \quad (16)$

Now by [ini Ch.X, Prop. 1.4] we have an equivalence 

a, /3 squares in Q* ^ [2]^(0, 0)(Q,) + 0. (17) 

We claim that the right hand side of ((TTJ) holds. Let G L = Gal(L/Q q ). The 
isomorphism (|T5]) induces an isomorphism of groups E[4](L) ^> E t [4](L). One 
computes <r(P t ) = — (ct(P))' for id ^ o £ Gl- As a consequence 0"(P*) = P* if 
and only if ct(P) = —P. Hence we have 

[2] B 1 (O,O)(Q g )=0 =^> [21^(0,0)^)^0. (18) 

Suppose P e [2] iJ 1 (0, 0)(Q 9 ). Let Q be a point of order 2 which does not lie in 
the kernel of reduction. Then 

[2]b X (0, 0)(Q fl ) = {P, -P, P + Q, -(P + Q)}. 

Two of these four points have to be in the kernel of reduction. Thus the points 
of P[4] loc are rational over Q q . This implies i £ Q q which is a contradiction. 
Since the converse direction in Proposition [22] is trivial, this finishes the proof. 

□ 

Assume now that E satisfies the equivalent conditions of Proposition 3.2 and let
$E_{Q_q}$ be given by equation (12). By our assumption E has ordinary reduction.
The condition $\frac{b}{a} \in 1 + 8Z_q$ implies that $\frac{b}{a}$ is a square in $Z_q$. We set in analogy
to the classical AGM formulae

$\tilde{a} = \frac{a + b}{2}, \quad \tilde{b} = \sqrt{ab} = a\sqrt{\frac{b}{a}}, \quad (19)$

where we choose $\sqrt{\frac{b}{a}} \in 1 + 4Z_q$.

Proposition 3.4. Let $E^{(2)}$ be defined as in Section 2. The curve $E^{(2)}_{Q_q}$ admits
the model

$y^2 = x(x - \tilde{a}^2)(x - \tilde{b}^2) \quad (20)$

where the point (0,0) generates $E^{(2)}[2]^{loc}(Q_q)$ and $\frac{\tilde{b}}{\tilde{a}} \in 1 + 8Z_q$. The isogeny

' (x + ab) 2 y(ab — x) (ab + x) 



<ix ' 8x 2 



Proof. It is straight forward to verify that the curve Eq is isogenous with the 
elliptic curve 

9 ,= x .Lf^Y).Lf^Y) (21) 



{,,y)»[^ Vlab ~f}f + XY ) (22) 



via the isogeny 

, Ax 2 ' 8a; 
which has kernel equal to 

£[2] loc (Q g )H(0,0)). 

The point (0, 0) on the curve defined by (|21[) is not in the kernel of reduction, 
because it is the image of the point (a 2 ,0) or (b 2 ,0), where each of the latter 
points induces a non-trivial point in E[2] ct (Q q ) . Consider the x-coordinates 

a — b\ 2 . /a + 6 X 2 



and 



of the other two 2-torsion points. The one with the smaller valuation is the
x-coordinate of the 2-torsion point in the kernel of reduction, because an
isomorphism over $Q_q$ to a minimal model preserves the ordering given by the
valuations. Let v be a discrete exponential valuation of $Q_q$ such that v(2) = 1.
Since $b/a \in 1 + 8Z_q$ it follows that

$v(a + b) = v(a) + v\left(1 + \frac{b}{a}\right) = v(a) + 1 < v(a) + v\left(1 - \frac{b}{a}\right) = v(a - b).$

The transformation 

(^y)-(^-(^) 2 ,y) (23) 

yields the model (20). The proposition now follows by composing the morphisms
(22) and (23). □

4 Torsion points on ordinary elliptic curves

Let K be a field of characteristic $\neq 2$. Suppose we are given an elliptic curve E
over K by an equation

$y^2 = x(x - a)(x - b) \quad (24)$

where $a, b \in K^*$ and $a \neq b$. In this section we introduce the so-called division
polynomials, which describe the torsion points of E.
Definition 4.1. Let

$\psi_0 = 0, \quad \psi_1 = 1, \quad \psi_2 = 2y,$
$\psi_3 = 3x^4 - 4(a + b)x^3 + 6abx^2 - (ab)^2,$
$\psi_4 = 2y(2x^6 - 4(a + b)x^5 + 10abx^4 - 10(ab)^2x^2 + 4(ab)^2(a + b) - 2(ab)^3),$
$\psi_{2l+1} = \psi_{l+2}\psi_l^3 - \psi_{l-1}\psi_{l+1}^3, \quad l \geq 2.$

The polynomial $\psi_m(x, y)$, $m \geq 0$, is called the m-th division polynomial of E.

The polynomial $\psi_m(x, y)$ defines a function on E. Let $\bar{K}$ denote an algebraic
closure of K. The following proposition is classical.

Proposition 4.2. Let m > 2. Assume that $K = \bar{K}$. Then the function
$\psi_m : E \to P^1_K, \quad (x, y) \mapsto \psi_m(x, y)$

has divisor

$\sum_{P \in E[m](K)} \deg_i[m] \cdot (P) - m^2 \cdot (0_E),$

where $0_E$ denotes the point at infinity and $\deg_i[m]$ the degree of inseparability
of the isogeny $[m] : E \to E$.

In the following we assume that $m \geq 3$ is an odd integer. By induction one
proves that the variable y in $\psi_m(x, y)$ occurs only with even exponent.
Substituting successively $y^2$ by $x(x - a)(x - b)$ we get a polynomial in the variable x.
We denote the resulting polynomial by $\psi_m(x)$. Choose $S \subseteq E[m](\bar{K})$ such that

$S \cap -S = \emptyset$ and $E[m](\bar{K}) = S \cup -S \cup \{0_E\}.$

Corollary 4.3. There exists a constant $c \in K$ such that

$\psi_m(x) = c \prod_{P \in S} (x - x(P))^{\deg_i[m]} \quad (25)$

where x(P) denotes the x-coordinate of P. If $\deg_i[m] = 1$, then
$\deg(\psi_m) = \frac{m^2 - 1}{2}$ and c = m.

Proof. The first claim follows from Proposition 4.2 since the function on the
right hand side of equation (25) has the same divisor as $\psi_m(x)$. Now assume
that $\deg_i[m] = 1$. This implies that $\psi_m(x)$ has degree $(m^2 - 1)/2$. Using
induction on m one shows that the leading coefficient of $\psi_m(x)$ equals m.

This implies the second claim. □

Now let $F_q$ be a finite field of characteristic p > 2. Let $Z_q$ be the ring of Witt
vectors with values in $F_q$ and let $Q_q$ be the field of fractions of $Z_q$. Assume
that $a, b \in Z_q^*$ and $a \not\equiv b \bmod p$, where a and b are the coefficients of the elliptic
curve (24). By our assumption, the model (24) is a Weierstrass minimal model
and E has good reduction. Let $v_p$ be an additive discrete valuation of $Q_q$ which
is assumed to be normalized such that $v_p(p) = 1$.

Proposition 4.4. The curve E has ordinary reduction if and only if the Newton
polygon of $\psi_p(x)$ with respect to $v_p$ is as in Figure 1.

Proof. Let $\psi_p(x) \in Z_q[x]$ denote the p-th division polynomial on E and $\bar{\psi}_p(x) \in
F_q[x]$ its reduction modulo p. The degree of inseparability of [m] on E equals
1. By Corollary 4.3 the polynomial $\psi_p(x)$ has degree $(p^2 - 1)/2$ and leading
coefficient p. We choose an extension of $v_p$ to $\bar{Q}_q$, that we denote by the same
symbol $v_p$. Note that $Q \in E(\bar{Q}_q)$ is in the kernel of reduction if and only if
$v_p(x(Q)) < 0$. Since p > 2, the x-coordinates of points in $E[p](\bar{Q}_q)$, which are
not in the kernel of reduction, have valuation 0.

Suppose that E has ordinary reduction. This means that $\#E(F_q) = p$ and
the degree of inseparability of the isogeny [p] on E equals p (compare [16] Ch.III,
Corollary 6.4). By the above discussion the Newton polygon of $\psi_p(x)$ has a
segment of slope 0 and length $p(p - 1)/2$. Also it has a segment of strictly
positive slope, which has length $(p - 1)/2$ and corresponds to the points of $E[p](\bar{Q}_q)$
lying in the kernel of reduction. Since by Corollary 4.3 the leading coefficient
of $\psi_p(x)$ equals p and $v_p$ is integer valued on $Q_q$, we conclude that the constant
term of $\psi_p(x)$ has valuation 0 and the segment of strictly positive slope of the
Newton polygon of $\psi_p(x)$ is a straight line.

Suppose that E has supersingular reduction. Then $\#E(F_q) = 1$. By
Corollary 4.3 the reduced polynomial $\bar{\psi}_p(x)$ equals a constant. This implies that the
Newton polygon of $\psi_p(x)$ has strictly positive slope. This finishes the proof of
the proposition. □

For more details about division polynomials we refer to [9] Ch.II, [5] and [1]. 

Corollary 4.5. Let E have ordinary reduction. Then there exists a subgroup
$G \leq E[p](\bar{Q}_q)$ defined over $Q_q$, which is uniquely determined by the conditions
that it is of order p and lies in the kernel of reduction.

Proof. Assume that E is an elliptic curve which has ordinary reduction. By
Proposition 4.4 it follows that there are precisely p points of order p on E lying
in the kernel of reduction. Let $0_E \neq P \in E[p](\bar{Q}_q)$ be in the kernel of reduction.
Then the multiples of P are as well, since the reduction map is a homomorphism
of groups. This proves the corollary. □

Figure 1: Newton polygon in case of ordinary reduction

Combining Theorem 3.1 and Corollary 4.5 we get an elementary proof for the
existence of a lift of relative Frobenius in the case of ordinary reduction.

5 Algorithmic aspects of Frobenius lifting 

In this section we explain how one can apply the results of the previous sections 
in order to count points on elliptic curves over finite fields. 

Notation 

We first fix some notation that will be used in the following sections. Let $Z_q$
denote the Witt vectors with values in a finite field $F_q$ with $q = p^d$ elements,
where p is a prime. We say that an element $x \in Z_q$ is given with precision m if
it is given modulo $p^m$. One can carry out arithmetic operations with precision
m by considering the given quantities as elements of the quotient ring $Z_q/(p^m)$.
For the implementation of the arithmetic in $Z_q/(p^m)$ see [8] §2.

5.1 Computing a Frobenius lift in the ordinary case 

Let now $Z_q$ denote the Witt vectors with values in a finite field $F_q$ with $q = p^d$
elements, where p > 2 is a prime. Let E be an elliptic curve which is given by
the equation

$y^2 = x(x - a)(x - b)$

where $a, b \in Z_q^*$ and $a \not\equiv b \bmod p$. We assume that E has ordinary good
reduction. By Corollary 4.5 and Theorem 3.1 there exists an explicit Frobenius lift
$F : E \to E^{(p)}$. Let $a^{(p)}$ and $b^{(p)}$ be defined as in Theorem 3.1.

Theorem 5.1. One can give a deterministic algorithm, which has as input the
coefficients a and b of E with precision m and as output the coefficients $a^{(p)}$ and
$b^{(p)}$ of $E^{(p)}$ with precision m, such that its complexity equals $O(p^{2+\epsilon}(dm)^{1+\epsilon})$
for all $\epsilon > 0$.

Proof. In the following we give the algorithm, whose existence is claimed in the
theorem. By $\psi_p(x)$ we denote the p-th division polynomial corresponding to the
points of order p on E (compare Section 4). The algorithm is as follows.

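Algorithm 5.2. Input: $a, b \in Z_q/(p^m)$; Output: $a^{(p)}, b^{(p)} \in Z_q/(p^m)$

1. Compute $\psi_p(x) \bmod p^m$.

2. Find a decomposition

$x^{(p^2-1)/2} \cdot \psi_p(1/x) = U(x) \cdot W(x) \bmod p^m \quad (26)$

where W(x) is monic and $W(x) \equiv x^{(p-1)/2} \bmod p$ using Hensel's algorithm.
Set

$V(x) = x^{(p-1)/2} \cdot W(1/x).$

3. Compute

$a^{(p)} = a^p \cdot \left(\frac{V(b)}{V(a)}\right)^2 \bmod p^m$ and $b^{(p)} = b^p \cdot \left(\frac{V(a)}{V(b)}\right)^2 \bmod p^m.$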



First we prove the correctness of Algorithm 5.2. The p-th division polynomial
$\psi_p(x)$ is computed in Step 1 with precision m using the formulae of Section 4.
Since E has ordinary reduction, it follows by Proposition 4.4 that the polynomial
$x^{(p^2-1)/2} \cdot \psi_p(1/x)$ reduces modulo p to a polynomial of degree $(p^2 - 1)/2$ which
is divisible by $x^{(p-1)/2}$ and not divisible by a bigger power of x. By Hensel's
Lemma [HI Kap.II,Lem.4.6] one can find a decomposition of the form (26)
lifting the factor $x^{(p-1)/2}$. The latter decomposition is computed in Step 2. By
construction, the factor V(x) corresponds to a subgroup $G \leq E[p](\bar{K})$ of order p
contained in the kernel of reduction. One can apply Theorem 3.1 to G in order
to compute the coefficients $a^{(p)}$ and $b^{(p)}$ of the curve $E^{(p)}$. This is done in Step
3. The polynomial V(x) differs multiplicatively from h(x) by a unit. Thus we
have

$\frac{V(b)}{V(a)} = \frac{h(b)}{h(a)} \bmod p^m.$

This proves the correctness of the Algorithm 5.2.
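
Added example (not code from the paper): Algorithm 5.2 carried out for p = 3 on the ordinary curve y^2 = x(x-1)(x-i) from the introduction, with Z_9/(3^m) realized as Gaussian integers modulo 3^m. Since (p-1)/2 = 1 the factor W(x) = x - w is linear, so the Hensel step reduces to a Newton iteration on one root; the function names and the pair representation (u, v) for u + v*i are assumptions of this example.

```python
# Added example: Algorithm 5.2 for p = 3 over Z_9/(3^m) = (Z/3^m)[i], i^2 = -1.
# An element u + v*i is stored as the pair (u, v); all names are hypothetical.

def add(x, y, q):
    return ((x[0] + y[0]) % q, (x[1] + y[1]) % q)

def mul(x, y, q):
    return ((x[0] * y[0] - x[1] * y[1]) % q, (x[0] * y[1] + x[1] * y[0]) % q)

def scale(k, x, q):
    return (k * x[0] % q, k * x[1] % q)

def is_unit(x):
    # The norm u^2 + v^2 is non-zero mod 3 exactly when u + v*i is a unit.
    return (x[0] * x[0] + x[1] * x[1]) % 3 != 0

def inv(x, q):
    n = pow(x[0] * x[0] + x[1] * x[1], -1, q)   # inverse of the norm in Z/3^m
    return (x[0] * n % q, -x[1] * n % q)

def evaluate(coeffs, x, q):
    """Horner evaluation; coeffs are listed from the highest degree down."""
    acc = (0, 0)
    for c in coeffs:
        acc = add(mul(acc, x, q), c, q)
    return acc

def reversed_psi3(a, b, q):
    """Step 1: coefficients of x^4 * psi_3(1/x), psi_3 as in Definition 4.1."""
    ab = mul(a, b, q)
    return [scale(-1, mul(ab, ab, q), q),       # -(ab)^2 x^4
            (0, 0),                             # no x^3 term
            scale(6, ab, q),                    # 6ab x^2
            scale(-4, add(a, b, q), q),         # -4(a+b) x
            (3 % q, 0)]                         # 3

def kernel_root(a, b, m):
    """Step 2: W(x) = x - w with w = 0 mod 3, lifted by Newton iteration."""
    q = 3 ** m
    r = reversed_psi3(a, b, q)
    dr = [scale(4, r[0], q), scale(3, r[1], q), scale(2, r[2], q), r[3]]
    w = (0, 0)
    for _ in range(m.bit_length()):             # precision doubles each round
        step = mul(evaluate(r, w, q), inv(evaluate(dr, w, q), q), q)
        w = add(w, scale(-1, step, q), q)
    return w

def frobenius_lift(a, b, m):
    """Step 3: (a^(3), b^(3)) mod 3^m from V(x) = x * W(1/x) = 1 - w*x."""
    q = 3 ** m
    diff = add(a, scale(-1, b, q), q)
    if not (is_unit(a) and is_unit(b) and is_unit(diff)):
        raise ValueError("need units a, b with a != b mod 3")
    if not is_unit(add(a, b, q)):
        # For p = 3 the slope-0 segment of Proposition 4.4 has length 3
        # exactly when the x^3 coefficient -4(a+b) of psi_3 is a unit.
        raise ValueError("supersingular reduction: Hensel step does not apply")
    w = kernel_root(a, b, m)
    one = (1, 0)
    va = add(one, scale(-1, mul(w, a, q), q), q)    # V(a)
    vb = add(one, scale(-1, mul(w, b, q), q), q)    # V(b)
    ratio = mul(vb, inv(va, q), q)
    r2 = mul(ratio, ratio, q)
    a3 = mul(mul(a, mul(a, a, q), q), r2, q)        # a^3 * (V(b)/V(a))^2
    b3 = mul(mul(b, mul(b, b, q), q), inv(r2, q), q)  # b^3 * (V(a)/V(b))^2
    return a3, b3

if __name__ == "__main__":
    # Iterate the lift on y^2 = x(x-1)(x-i) with precision 3^5.
    a, b = (1, 0), (0, 1)
    for n in range(4):
        print(n, a, b)
        a, b = frobenius_lift(a, b, 5)
```

The supersingular curve y^2 = x(x-1)(x-2) from the introduction is rejected, because a + b = 3 is not a unit and the factor x of the reversed polynomial is no longer simple modulo 3.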

Next we provide some well-known results about the complexity of the arithmetic
operations in the Witt vectors of a finite field. Elements of $\mathbb{Z}_q/(p^m)$
allocate $O(md \log_2(p))$ bits if one stores them as integers. For details see [8] §2.
Using fast integer multiplication techniques we conclude that a multiplication in
$\mathbb{Z}_q/(p^m)$ has complexity $O((md)^{1+\epsilon} \log_2(p)^{1+\epsilon})$. Inversion of $a \in \mathbb{Z}_q/(p^m)$ can
be done using Newton iteration applied to the polynomial $ax - 1 \in \mathbb{Z}_q/(p^m)[x]$.
The complexity of the Newton iteration is analyzed in [8] §2.5. The resulting
complexity of an inversion is equal to that of the multiplication. Representing
elements of $\mathbb{Z}_q/(p^m)[x]$ as integers and using a fast arithmetic for integers the
complexity of the multiplication of two polynomials in $\mathbb{Z}_q/(p^m)[x]$ of degree n
becomes $O((nmd)^{1+\epsilon} \log_2(p)^{1+\epsilon})$. In order to prove the complexity bound of
Theorem 5.1 we will analyze step-by-step the relevant parts of Algorithm 5.2.

Step 1. For the computation of the division polynomial $\psi_p$ we use the formulae
of Section 3. Note that for every m > 5 the polynomial $\psi_m$ can be
computed in terms of polynomials forming a subset of the set

$$\{\psi_{n+2}, \ldots, \psi_{n-2}\}, \qquad (27)$$

where $n = \lfloor m/2 \rfloor$. This shows that a recursive algorithm for computing $\psi_p$ has
depth $\lfloor \log_2(p) \rfloor$. The necessary polynomial multiplications to compute $\psi_m$ in
terms of the polynomials (27) can be performed in $O(n^{2+\epsilon} (md)^{1+\epsilon} \log_2(p)^{1+\epsilon})$
bit operations, since $\psi_n$ has degree $(n^2 - 1)/2$. Let $s_1 = \lceil p/2 \rceil + 2$ and
$t_1 = \lfloor p/2 \rfloor - 2$. We set

$$s_i = \left\lceil \frac{s_{i-1}}{2} \right\rceil + 2 \quad \text{and} \quad t_i = \left\lfloor \frac{t_{i-1}}{2} \right\rfloor - 2$$

for i > 1. In our case, we have to compute the polynomials $\psi_{s_i}, \ldots, \psi_{t_i}$ for
$i \ge 1$. By induction on i one can prove that

$$s_i \le \left\lceil \frac{p}{2^i} \right\rceil + (i - 1) + 2 \quad \text{and} \quad t_i \ge \left\lfloor \frac{p}{2^i} \right\rfloor - (i - 1) - 2.$$

It follows that the number of polynomials to be computed on each recursion
level grows linearly in the index i. Since $i \le \lceil \log_2(p) \rceil$ we conclude that the p-th
division polynomial $\psi_p$ can be computed in $O(p^{2+\epsilon} (md)^{1+\epsilon})$ bit operations.

Step 2. Using the standard Hensel algorithm (see [6] Section 3.5.3) we obtain
for the second step in the algorithm the complexity $O(p^{2+\epsilon} (md)^{1+\epsilon})$. Note
that Hensel's algorithm converges quadratically. We assume that one uses in
each iteration the minimal precision required in order to get the correct result.

Step 3. Evaluating a polynomial in $\mathbb{Z}_q/(p^m)[x]$ of degree $(p - 1)/2$ at a value
in $\mathbb{Z}_q/(p^m)$ has complexity $O((pmd)^{1+\epsilon})$. To achieve this complexity one uses
a squaring table and a 2-adic representation of exponents. We do not describe
this method in detail because it is standard.

Summing up the above complexities we get the complexity bound as stated
in Theorem 5.1. □

5.2 Generalizing Mestre's AGM algorithm

Let E be an ordinary elliptic curve over a finite field $\mathbb{F}_q$ of characteristic p > 2
given by the Weierstrass equation

$$y^2 = x(x - a)(x - b)$$

where $a, b \in \mathbb{F}_q$.

Theorem 5.3. The Algorithm 5.4, which has as input a finite field $\mathbb{F}_q$ and the
coefficients a, b of E, computes the number of $\mathbb{F}_q$-rational points $\#E(\mathbb{F}_q)$ on E
in time $O(p^{2+\epsilon} d^{3+\epsilon})$, where $d = \log_p(q)$, for all $\epsilon > 0$.

We note that it is straightforward to modify the Algorithm 5.4 such that one
can drop the assumption that $\#E[2](\mathbb{F}_q) = 4$. In the following let $\mathbb{Z}_q$ denote
the Witt vectors with values in $\mathbb{F}_q$.

Algorithm 5.4. Input: $a, b \in \mathbb{F}_q$; Output: $\#E(\mathbb{F}_q)$

1. Set

$$d = \log_p(q), \quad \text{and} \quad m = d + \lceil d/2 \rceil + 2.$$

2. Choose $a, b \in \mathbb{Z}_q/(p^m)$ such that

$$a = a \bmod p \quad \text{and} \quad b = b \bmod p.$$

3. Compute the pairs

$$(a, b), (a_1, b_1), \ldots, (a_{m-1}, b_{m-1}),$$

where $a_i = a^{(p^i)}$ and $b_i = b^{(p^i)}$, by iterating (m - 1)-times the Algorithm 5.2
with precision m.

4. Compute with precision m the triples

$$(a_m, b_m, c_m), \ldots, (a_{m+d-1}, b_{m+d-1}, c_{m+d-1})$$

where $a_i, b_i$ are as in Step 3 and $c_i$ is computed as follows: We use a
modified version of Algorithm 5.2 having as additional output the number

$$c = \mathrm{lead}(V) \bmod p^m,$$

where lead(V) denotes the leading coefficient of the polynomial V(x) which
is computed in Step 2 of Algorithm 5.2.

5. Compute

$$v = \left( \frac{\prod_{i=m}^{m+d-1} c_i}{p^d} \right)^{-1} \bmod p^{m-d}.$$

6. Compute

$$t = v + \frac{q}{v} \bmod p^{m-d}.$$

Find the unique integer $t_0$ in the interval $[q + 1 - 2\sqrt{q}, \ldots, q + 1 + 2\sqrt{q}]$
such that $t_0 = t \bmod p^{m-d}$. Return $q + 1 - t_0$.



Proof of Theorem 5.3. First we prove the correctness of Algorithm 5.4. Morally,
the correctness of the algorithm follows from the following observation, which
can be explained using Corollary [

Fact 5.5. Let E* be the canonical lift of E and let E be defined by the equation

$$y^2 = x(x - a)(x - b), \quad a, b \in \mathbb{Z}_q^*, \qquad (28)$$

such that a = a mod p and b = b mod p. If we define $E^{(p^i)}$ for i > 1 as in
Section^ then one has

$$\lim_{n \to \infty} j\left(E^{(p^n)}\right) = j(E^*)$$

with respect to the p-adic topology.

Let d and m be as in Step 1. The choice of a and b in Step 2 determines an
elliptic curve E with defining equation of the form (28). Now let $E^{(p^i)}$ for i > 1
be defined as in Section O We note that by Corollary 2.6 the curve $E^{(p^{m-1})}$
with the coefficients $a^{(p^{m-1})}$ and $b^{(p^{m-1})}$ which are computed in Step 3 is the
canonical lift over $R/(p^m)$ of its reduction. The latter is also true for the curve
$E^{(p^{m+d-1})}$ with coefficients $a^{(p^{m+d-1})}$ and $b^{(p^{m+d-1})}$, which are computed in
Step 4. The reductions of $E^{(p^{m-1})}$ and $E^{(p^{m+d-1})}$ coincide. As a consequence there
exists a unique isomorphism

$$\psi : E^{(p^{m+d-1})} \to E^{(p^{m-1})}$$

defined over $R/(p^m)$ such that the composed map

$^^o^eEnd Ji/(r) (^ m " 1 )) 

reduces to the absolute Frobenius of the reduction $\bar{E}^{(p^{m-1})}$. The bijectivity of
the reduction map on homomorphisms implies that $\psi = \mathrm{id}$ and thus

$$a^{(p^{m+d-1})} \equiv a^{(p^{m-1})} \bmod p^m \quad \text{and} \quad b^{(p^{m+d-1})} \equiv b^{(p^{m-1})} \bmod p^m.$$

The map

$$\mathrm{End}_{R/(p^m)}\left(E^{(p^{m-1})}\right) \to \mathrm{End}_{\mathbb{F}_q}\left(\bar{E}^{(p^{m-1})}\right) \qquad (29)$$

induced by reduction is bijective because of the characterizing property of the
canonical lift. Let $V = \hat{\Phi}$ be the dual of the isogeny $\Phi$. The isogeny V lifts
the absolute Verschiebung morphism of $\bar{E}^{(p^{m-1})}$. By the injectivity of (29) the
equality

$$V^2 - [t] \circ V + [q] = 0 \qquad (30)$$

holds in the ring

$$\mathrm{End}_{R/(p^m)}\left(E^{(p^{m-1})}\right),$$

where t denotes the trace of the absolute q-Frobenius morphism on $\bar{E}^{(p^{m-1})}$. As
a consequence of equation (30) we get

We define $v \in R/(p^m)$ by the equation

\y J y ' 

Note that the Verschiebung is a separable isogeny acting as a non-zero scalar
on the differentials of $\bar{E}^{(p^{m-1})}$ over $\mathbb{F}_q$. This shows that v is invertible modulo
$p^m$. We remark that on the other hand the scalar, which describes the action
of F on differentials, is divisible by q. This is the reason why we work with the
isogeny V instead of the isogeny $\Phi$. We conclude from (31) that

$$t = v + \frac{q}{v} \bmod p^m. \qquad (32)$$

The number of $\mathbb{F}_q$-rational points on E equals that of $\bar{E}^{(p^{m-1})}$ since the two
curves are isogenous over $\mathbb{F}_q$. This shows that the above number t is in fact the
trace of the absolute Frobenius on E.

In the following we describe the relevant steps of Algorithm 5.4 in more detail
and give their complexity.

Step [7J - In order to turn the congruence (32) into an equality, which holds
in $\mathbb{Z}$, we have to choose the right precision. Hasse's Theorem (see [16] Ch. V,
Theorem 1.1) states that

$$|t| \le 2\sqrt{q} < p^{\lceil d/2 \rceil + 1}.$$

We conclude that one can recover the value for t from the approximation modulo
$p^m$ if one takes $m = \lceil d/2 \rceil + 2$. It will be explained in Step [1] why we actually
compute with precision $d + \lceil d/2 \rceil + 2$.

Step 3. One has to iterate (m - 1)-times Algorithm 5.2 with precision m. The
resulting complexity of Step 3 is $O(p^{2+\epsilon} d^{3+\epsilon})$ by Theorem 5.1.

Step 4. Similar as in Step 3 the overall complexity of Step 4 is $O(p^{2+\epsilon} d^{3+\epsilon})$.

Step 5. By Theorem 3.1 the scalar $\prod_{i=m}^{m+d-1} c_i$ describes the action of the
Frobenius morphism on differentials. To obtain the value v as above, one has to divide
the product $\prod_{i=m}^{m+d-1} c_i$ by $p^d$. By doing so one loses precision d. This loss of
precision is compensated by performing all necessary computations modulo $p^m$
where $m = d + \lceil d/2 \rceil + 2$. □



6 Examples and practical results

First, we illustrate the generalized AGM method by an example. Consider an
elliptic curve of the form

$$y^2 = x(x - a)(x - b),$$

over the integers of the degree 6 unramified extension of $\mathbb{Z}_3$. Assume that a = 1
and b is given by the congruence class of the polynomial

$$191096x^5 + 198863x^4 - 40571x^3 + 247894x^2 + 127753x + 193545$$

in the quotient ring $\mathbb{Z}_3[x]/(f)$, where $f = x^6 + 2x^4 + x^2 + 2x + 2$ and the
computing precision is 12. The generalized AGM sequence is given by the
sequence of elliptic curves $E_n$ of the form

$$y^2 = x(x - a_n)(x - b_n)$$

where $a_n$ and $b_n$ are as in the following table. Also we give the j-invariant $j_n$


n    $a_n$
1    $-219543x^5 - 174456x^4 + 242538x^3 + 50793x^2 + 73503x - 114671$
2    $244131x^5 + 164118x^4 + 59862x^3 + 81231x^2 + 5310x + 222361$
3    $36027x^5 + 182667x^4 - 141981x^3 + 77385x^2 - 236172x - 16334$
4    $-115041x^5 + 88929x^4 + 144273x^3 + 96438x^2 - 77580x - 52628$
5    $-199374x^5 + 26007x^4 + 115827x^3 + 119622x^2 - 251307x + 89887$
6    $111870x^5 + 262608x^4 - 100830x^3 - 12261x^2 - 165993x + 42697$
7    $-137418x^5 - 174771x^4 + 117006x^3 - 114177x^2 - 30474x + 3949$
8    $-88185x^5 - 220038x^4 + 18714x^3 + 254922x^2 + 197199x + 161044$
9    $35946x^5 + 201945x^4 + 205590x^3 + 80220x^2 + 40443x + 94798$
10   $103659x^5 - 29412x^4 + 229809x^3 - 168675x^2 + 206487x + 255010$
11   $-163653x^5 + 125880x^4 - 159735x^3 - 90330x^2 - 131751x + 230584$
12   $-98082x^5 + 30786x^4 - 30846x^3 - 217839x^2 - 262221x - 36035$
13   $-163662x^5 + 48303x^4 - 263532x^3 - 173226x^2 + 245088x + 227023$
14   $-9453x^5 - 259404x^4 + 136812x^3 - 79689x^2 - 157095x + 42946$
15   $-200250x^5 + 260994x^4 - 89655x^3 + 21171x^2 - 254802x - 23300$
16   $103659x^5 - 206559x^4 - 124485x^3 + 8472x^2 + 29340x + 255010$
17   $-163653x^5 + 125880x^4 - 159735x^3 - 90330x^2 - 131751x + 230584$

n    $b_n$
1    $235370x^5 + 28234x^4 - 212531x^3 - 159624x^2 - 170578x + 222642$
2    $179553x^5 - 220534x^4 + 163518x^3 + 137832x^2 + 144738x + 181163$
3    $-6923x^5 + 12185x^4 - 178985x^3 - 215143x^2 - 105466x - 184699$
4    $-107763x^5 - 219958x^4 - 210434x^3 + 237327x^2 - 82574x + 52910$
5    $183685x^5 - 88458x^4 + 204515x^3 - 191205x^2 + 230688x - 264484$
6    $-49681x^5 + 170291x^4 + 80926x^3 - 91913x^2 - 23405x - 227562$
7    $11162x^5 + 249139x^4 - 81842x^3 - 137124x^2 + 213695x + 60867$
8    $98634x^5 + 258878x^4 + 217977x^3 + 168018x^2 - 195678x - 57868$
9    $37951x^5 - 49618x^4 + 171340x^3 + 166043x^2 + 81806x - 53074$
10   $243858x^5 - 172816x^4 + 174721x^3 - 183549x^2 + 27505x + 1394$
11   $196078x^5 + 7770x^4 + 173897x^3 - 240777x^2 - 62370x - 177733$
12   $160271x^5 + 28136x^4 - 190262x^3 - 251564x^2 + 85945x + 96114$
13   $-28204x^5 - 111716x^4 + 259330x^3 + 184365x^2 - 134038x - 188451$
14   $157683x^5 + 180146x^4 - 175683x^3 + 207384x^2 + 60201x - 235015$
15   $156049x^5 + 245627x^4 + 112291x^3 - 70153x^2 + 22757x - 112123$
16   $-110436x^5 + 181478x^4 - 179573x^3 + 170745x^2 + 27505x + 178541$
17   $196078x^5 + 7770x^4 + 173897x^3 - 240777x^2 - 62370x - 177733$

n    $j_n$
1    $-181949x^5 + 191925x^4 + 123820x^3 - 92832x^2 + 68256x - 32042$
2    $70082x^5 - 126707x^4 + 223201x^3 - 162933x^2 - 241398x + 66137$
3    $-72435x^5 - 250762x^4 + 80515x^3 + 174612x^2 - 75519x - 23327$
4    $72391x^5 + 90594x^4 + 104200x^3 - 16026x^2 + 265050x - 231383$
5    $45809x^5 + 89617x^4 - 56978x^3 - 260565x^2 - 41706x - 153832$
6    $3543x^5 - 183856x^4 - 117449x^3 - 87666x^2 - 235494x - 68606$
7    $-36959x^5 + 204318x^4 + 159118x^3 + 49341x^2 - 121563x - 205139$
8    $173384x^5 - 180113x^4 - 221003x^3 - 71025x^2 - 172197x - 258079$
9    $-97059x^5 - 63571x^4 + 153739x^3 + 126660x^2 + 162540x + 80110$
10   $-155057x^5 + 263367x^4 + 8215x^3 - 95001x^2 + 167121x - 27992$
11   $-43129x^5 + 95449x^4 + 133291x^3 - 149757x^2 - 93465x - 2200$
12   $198186x^5 + 172625x^4 + 212788x^3 - 109536x^2 + 103491x + 198208$
13   $-155057x^5 + 263367x^4 + 185362x^3 + 259293x^2 - 10026x - 27992$
14   $-43129x^5 + 95449x^4 + 133291x^3 - 149757x^2 - 93465x - 2200$
15   $198186x^5 + 172625x^4 + 212788x^3 - 109536x^2 + 103491x + 198208$
16   $-155057x^5 + 263367x^4 + 185362x^3 + 259293x^2 - 10026x - 27992$
17   $-43129x^5 + 95449x^4 + 133291x^3 - 149757x^2 - 93465x - 2200$



Theorem [23] and Corollary 2.6 imply that $j_{11} = j_{17}$ which agrees with our
computation. One can see from the above computational evidence that $a_{11} = a_{17}$
and $b_{11} = b_{17}$. The scalar which gives the action of the absolute Frobenius lift
$E_{11} \to E_{17}$ on differentials is congruent 153819 modulo $3^{12}$. By the procedure
which is described in Algorithm 5.4 one computes that the trace of Frobenius
of the reduction of E equals -38.
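The example above can be retraced in a few lines for p = 3, where V(x) = 1 - r*x has degree one and r is the root divisible by 3 of $x^4 \psi_3(1/x) = 3 - 4(a+b)x + 6abx^2 - a^2b^2x^4$. The following sketch is an added illustration, not the Magma implementation of the article: it assumes Step 3 of Algorithm 5.2 in the form $a^{(p)} = a^p (V(b)/V(a))^2$, $b^{(p)} = b^p (V(a)/V(b))^2$, takes the symmetric residue of t as the trace, inverts ring elements by exponentiation in the unit group instead of Newton iteration, and all function names are hypothetical.

```python
# Added example: Algorithm 5.4 for p = 3; ring elements are coefficient lists, low degree first.
P, D, M = 3, 6, 12                  # p, d = log_p(q), working precision 12 as in the example
MOD, ONE = P**M, [1, 0, 0, 0, 0, 0]
F = [2, 2, 1, 0, 2, 0]              # f = z^6 + 2z^4 + z^2 + 2z + 2 without its leading term
A, B = ONE, [193545, 127753, 247894, -40571, 198863, 191096]   # a = 1 and b of the example

def mul(u, v):                      # product in (Z/p^m)[z]/(f)
    w = [0] * (2 * D - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[i + j] += ui * vj
    for k in range(2 * D - 2, D - 1, -1):        # eliminate z^k via z^d = -(f - z^d)
        c = w.pop()
        for j in range(D):
            w[k - D + j] -= c * F[j]
    return [c % MOD for c in w]

def lin(*terms):                    # sum of n*u over pairs (n, u), n an integer
    return [sum(n * u[i] for n, u in terms) % MOD for i in range(D)]

def power(u, e):
    r = ONE
    while e:
        r = mul(r, u) if e & 1 else r
        u, e = mul(u, u), e >> 1
    return r

def inv(u):                         # the unit group has order (p^d - 1) * p^(d(m-1))
    return power(u, (P**D - 1) * P**(D * (M - 1)) - 1)

def frobenius_step(a, b):
    """Algorithm 5.2 for p = 3: returns (a^(3), b^(3), lead(V))."""
    s, ab, r = lin((1, a), (1, b)), mul(a, b), [0] * D
    ab2 = mul(ab, ab)
    for _ in range(5):              # Newton/Hensel lifting of the root r = 0 mod 3
        r2 = mul(r, r)
        g = lin((3, ONE), (-4, mul(s, r)), (6, mul(ab, r2)), (-1, mul(ab2, mul(r2, r2))))
        dg = lin((-4, s), (12, mul(ab, r)), (-4, mul(ab2, mul(r2, r))))
        r = lin((1, r), (-1, mul(g, inv(dg))))
    ratio = mul(lin((1, ONE), (-1, mul(r, b))), inv(lin((1, ONE), (-1, mul(r, a)))))
    sq = mul(ratio, ratio)          # (V(b)/V(a))^2 with V(x) = 1 - r*x
    return mul(power(a, 3), sq), mul(power(b, 3), inv(sq)), lin((-1, r))

def count_points(a, b):
    """Algorithm 5.4: returns (trace of Frobenius, #E(F_q)) for y^2 = x(x-a)(x-b)."""
    prod = ONE
    for n in range(M - 1 + D):      # Steps 3 and 4
        a, b, c = frobenius_step(a, b)
        if n >= M - 1:              # keep c_m, ..., c_{m+d-1}
            prod = mul(prod, c)
    q, mod = P**D, P**(M - D)
    v = pow(prod[0] // q, -1, mod)  # Step 5: v = (prod / p^d)^(-1)
    t = (v + q * pow(v, -1, mod) + mod // 2) % mod - mod // 2   # Step 6, symmetric residue
    return t, q + 1 - t
```

Calling `count_points(A, B)` runs the 11 warm-up iterations and the six-step cycle $E_{11} \to E_{17}$ of the example.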
We have implemented the Algorithm 5.4 in the computer algebra programming
language Magma [2]. Using our experimental implementation we were able
to compute the number of rational points of ordinary elliptic curves over finite
fields of characteristic 3 of cryptographic size in a reasonable amount of time.
For example, we computed the number of points on the elliptic curve given by
the equation

$$y^2 + xy = x^3 + a \qquad (33)$$



where 



a = 2z 149 + 2z 14S + 2z 147 + z 146 + z 145 + 2z 144 + z 143 + 2z 142 + 2z 139 
+z 134 + 2z 133 + z 131 + z 130 + 2z 129 + z 128 + z 127 
+2z 12(i + z 123 + 2z 122 + 2z 120 + z 119 + 2z 118 + z 117 
+2z 113 + 2z lu + 2z 110 + z 109 + z 106 + z 105 + z w2 
+2z 101 + z" + 2z 97 + z 95 + z 94 + 2z 93 + z 91 

. o 90 88 , r, 87 . r, 86 . 85 . „ 84 . r, 83 

+2z + z + 2z + 2z + z + 2z +2z 

, 82 . 81 80 . 79 . r, 78 , r, 76 75 . 74 

+z + z +2 + 2z + 2z + 2z + z + z 

. o 72 . r, 71 . 70 69 . n 65 . 64 63 
+ 2Z + 2z +2 +2 +22 +2 +2 

i r. 62 . r. 59 . r. 58 . 57 . 56 , 55 54 
+ 2Z + 2z + 2z +2 +2 +2 +2 

, 53 50 , 49 . 47 44 . 43 . 41 40 
+22 +2 +2 +2 +2 +2 +22 +2 

+ 2 38 + Z 37 + 22 36 + 2 33 + 2 M + Z 3 ° + 2 28 + 22 27 

+22 24 + 2 23 + 22 19 + 22 13 + 22 12 + 2 11 + 2 10 

+22 8 + 22 7 + 2 5 + 22 4 + 2 3 + 2 

over $\mathbb{F}_{3^{150}} = \mathbb{F}_3[z]/(f)$ with $f(z) = z^{150} + z^5 + z^4 + z^3 + z + 2$. We computed
using Algorithm 5.4 that the curve (33) has

369988485035126972924700782451696643480338123589346780021422648929803646

rational points over the finite field $\mathbb{F}_{3^{150}}$. The computation for this curve took
639 seconds on an Intel Core 2 Duo (E7400@2.80GHz) computer with 8GB
memory.



7 Perspectives 

We suggest another potential application of the explicit formulae of Section 3.
The example of the introduction shows that also in the supersingular case the
formulae of Theorem 3.1 can be used to compute an explicit lift of the relative
p-Frobenius morphism. As one can see from the computational evidence, the
computations take place over a ring of integers which is ramified at p. It is an
interesting question whether one can use our formulae to compute an explicit
lift of the absolute Frobenius morphism in the supersingular case. We expect
that the answer to this question is positive.

The algorithms presented in Section 5.1 and Section 5.2 may be improved
with respect to their complexity. This improvement might be relevant in practice.
The complexity bound given in Theorem 5.1 may be improved to a bound
that is linear in p. In order to do so, one has to avoid computing with the p-th
division polynomial, which has degree of order $p^2$. Perhaps it is possible to use
the formal group law of the elliptic curve E instead. We remark that the formal
group incorporates the local part of the p-torsion, or equivalently, the kernel
of reduction. Also it seems to be worthwhile trying to improve the complexity
bound of Theorem 5.3 with respect to d. One expects that there is an algorithm
whose complexity is essentially quadratic in d.